DPDPA Compliance for Hospitals, Clinics & Healthcare Providers
Patient photos, before/after marketing, paediatric records and telemedicine recordings are now regulated personal data. Enforcement is live in 2026 — penalties reach Rs 250 crore per breach.
Indian healthcare runs on personal data — OPD forms, lab reports, MRI scans, WhatsApp prescription photos, before/after smile galleries on Instagram, IVF embryo records, paediatric vaccination charts and Zoom telemedicine recordings. Under the DPDPA 2023, every hospital, dental chain, fertility centre and standalone GP is a Data Fiduciary. Health data is sensitive by default, under-18 patients trigger Section 9 verifiable parental consent, and the Data Protection Board can impose penalties up to Rs 250 crore per breach. This page maps the Act to Indian clinical practice — not generic IT compliance.
Critical sections for Hospitals, Clinics & Healthcare
Your DPDPA obligations
Granular consent for each processing purpose
Treatment consent does not cover marketing, testimonials, doctor training videos, insurance TPA sharing or analytics. Each purpose needs a separate, itemised, withdrawable consent in English plus the patient's preferred Indian language.
Verifiable parental consent for under-18 patients
Paediatrics, vaccination, dental braces, child psychology and IVF records of minors require verifiable parental consent. No behavioural tracking, no targeted advertising, no profiling of children.
Purpose limitation on patient photos and scans
A pre-op photo taken for surgical planning cannot be reused on the clinic Instagram, in a doctor's CME deck, or on a hair-transplant landing page without fresh, specific consent naming each channel.
Data Principal rights: access, correction, erasure, grievance
Patients can demand a copy of their entire medical record, correct wrong allergies or diagnoses, withdraw marketing consent, and nominate someone if hospitalised. A named Grievance Officer must respond within the prescribed timeline.
Breach notification to the Board and patients
Ransomware on the HIS, a leaked Google Drive of OT photos, or a stolen receptionist laptop must be reported to the Board and affected patients without delay, not after the PR strategy is ready.
Processor contracts with labs, TPAs, cloud EMR and transcription vendors
Every Data Processor (Practo, diagnostic labs, insurance TPAs, AWS/Azure-hosted EMRs, medical transcription BPOs, WhatsApp Business API providers) needs a written DPDPA-compliant contract with audit rights and breach pass-through.
Reasonable security safeguards on PHI
Encryption at rest for HIS/EMR, role-based access (front desk should not see psychiatry notes), MFA on doctor logins, audit logs, and physical security on paper OPD slips and consent forms in storage.
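Role-based access with an audit trail is the safeguard above that is easiest to get subtly wrong (a role that defaults to "everything" instead of "nothing"). The block below is an added illustration, not code from any HIS or EMR product: it models a deny-by-default permission map per role, treats a verified MFA login as a precondition for every read, and logs each decision so a per-patient access history can be produced on demand. Role names, record categories, user names and the sample requests are constructed for the example.

```python
"""Deny-by-default role-based access to EMR record categories, with an audit log.

Added illustration of the 'reasonable security safeguards' above; not code from
any HIS/EMR product. Roles, record categories, user names and requests are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record categories each role may read. Anything not listed is denied, so the
# front desk sees appointments and billing but never psychiatry notes, even
# though all of it sits in the same EMR database.
ROLE_PERMISSIONS = {
    "front_desk":   {"appointments", "billing"},
    "nurse":        {"appointments", "vitals", "medication"},
    "doctor":       {"appointments", "vitals", "medication", "lab_reports", "imaging"},
    "psychiatrist": {"appointments", "vitals", "medication", "psychiatry_notes"},
}


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    user: str
    role: str
    patient_id: str
    category: str
    allowed: bool
    reason: str


@dataclass
class EmrAccessControl:
    # Only ever appended to, never edited: the log is the evidence.
    audit_log: list = field(default_factory=list)

    def check(self, user, role, patient_id, category, mfa_verified):
        """Decide one read request and log it, whether allowed or denied."""
        if not mfa_verified:
            allowed, reason = False, "mfa_missing"
        elif category in ROLE_PERMISSIONS.get(role, set()):
            allowed, reason = True, "role_permits"
        else:
            allowed, reason = False, "role_denies"   # unknown roles land here too
        self.audit_log.append(AuditEntry(
            ts=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            category=category, allowed=allowed, reason=reason,
        ))
        return allowed

    def accesses_for_patient(self, patient_id):
        """Who touched this patient's record: answers a Data Principal access
        request and surfaces a receptionist repeatedly probing psychiatry notes."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def denied_attempts(self, user):
        return [e for e in self.audit_log if e.user == user and not e.allowed]


def run_demo():
    ac = EmrAccessControl()
    return {
        "front_desk_appointments": ac.check("reception1", "front_desk", "P001", "appointments", True),
        "front_desk_psychiatry":   ac.check("reception1", "front_desk", "P001", "psychiatry_notes", True),
        "psychiatrist_psychiatry": ac.check("dr_rao", "psychiatrist", "P001", "psychiatry_notes", True),
        "doctor_without_mfa":      ac.check("dr_mehta", "doctor", "P001", "lab_reports", False),
        "unknown_role":            ac.check("intern9", "visitor", "P001", "appointments", True),
        "entries_for_P001":        len(ac.accesses_for_patient("P001")),
        "reception1_denials":      len(ac.denied_attempts("reception1")),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The important design choice is that denied requests are logged with the same detail as allowed ones; the denial record is what lets a privacy officer notice misuse, and it is also what a hospital can show the Board after an incident.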
Common violation scenarios

| Scenario | Penalty exposure |
|---|---|
| Cosmetic clinic posts before/after rhinoplasty photos on Instagram with only verbal consent from the patient | Up to Rs 200 crore per Section 33 |
| Paediatric dental chain runs Meta retargeting ads tracking under-18 patients who visited the braces landing page | Up to Rs 200 crore plus suspension of processing |
| IVF clinic's shared Google Drive of embryo grading photos indexed by Google and discoverable | Up to Rs 250 crore |
| Hospital's telemedicine vendor records consultations and uses them to train an AI scribe without patient consent | Up to Rs 250 crore on fiduciary, joint liability with processor |
| Ransomware encrypts the HIS; hospital quietly pays and does not notify the 40,000 affected patients | Up to Rs 250 crore |
| Front-desk WhatsApp group shares OPD lists including HIV and psychiatry patient names with all receptionists | Up to Rs 250 crore plus civil suits |
Industry-specific risks
- Before/after marketing photos reused across Instagram, website, hoardings and doctor LinkedIn without per-channel consent
- Paediatric and child-psychology patient data processed without verifiable parental consent under Section 9
- WhatsApp groups of doctors sharing patient X-rays, ECGs and lab reports with identifiers visible
- Telemedicine recordings stored indefinitely on Zoom/Teams cloud without retention policy or patient knowledge
- IVF and fertility data — gamete donor identities, embryo records — leaked through unsecured shared drives
- Third-party diagnostic labs and TPAs operating as processors without DPDPA-compliant contracts or breach pass-through clauses
Consent capture checklist
- Separate consent for treatment, marketing, testimonials, research and TPA/insurance sharing — not bundled into one OPD form
- Itemised consent naming each channel for photo use (clinic website, Instagram, Google Ads, brochures, doctor CME decks)
- Verifiable parental consent workflow for every patient under 18, with ID-based parent verification
- Consent form available in English plus the patient's preferred Indian language with literacy-appropriate phrasing
- Easy withdrawal mechanism — QR code, WhatsApp keyword, or one-click email link — as simple as giving consent
- Named Grievance Officer with response SLA displayed at reception, on website footer and on every patient communication
- Audit log showing what consent was given, when, by whom, and what was withdrawn — retrievable per patient on demand
- Re-consent triggered when purpose changes (e.g. new AI diagnostic tool, new marketing channel, new research study)
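The checklist above describes a data structure: a per-patient ledger where every grant and every withdrawal is a dated, attributed event, and "may we use this for that purpose on that channel?" is answered by looking up the latest event. The block below is an added illustration, not code from any EMR or consent-management product. It refuses to record non-demonstrable (verbal) consent, enforces an ID-verified guardian for minors, answers the question as of a given date (so the date of an old Instagram post can be checked against when consent was given), and denies by default for any purpose with no event, which is what forces re-consent when a new AI tool or channel is introduced. Patient IDs, purposes, channels, dates and names are constructed.

```python
"""Consent ledger: per-purpose, per-channel, withdrawable, and auditable per patient.

Added illustration of the consent-capture checklist above; not code from any EMR
or consent product. Patient IDs, purposes, channels, dates and names are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Verification methods that produce evidence the Board can be shown.
# "verbal" is deliberately absent: it cannot be recorded here at all.
DEMONSTRABLE = {"signed_form", "otp", "digital_signature", "guardian_id"}


@dataclass(frozen=True)
class ConsentEvent:
    patient_id: str
    purpose: str        # "treatment", "marketing", "testimonial", "research", "tpa_sharing", ...
    channel: str        # "instagram", "website", "cme_deck", ...; "*" means purpose-wide
    granted: bool       # False records a withdrawal
    on: date
    given_by: str       # "self" or the verified guardian
    verification: str   # one of DEMONSTRABLE
    language: str       # language the form was presented in


class ConsentLedger:
    def __init__(self):
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent, is_minor: bool = False) -> None:
        # Section 6: consent must be demonstrable.
        if ev.verification not in DEMONSTRABLE:
            raise ValueError(f"{ev.verification!r} consent is not demonstrable; not recorded")
        # Section 9: a minor's grant comes from an ID-verified parent or guardian.
        if is_minor and ev.granted and (ev.given_by == "self" or ev.verification != "guardian_id"):
            raise ValueError("minor: grant must come from an ID-verified parent or guardian")
        self._events.append(ev)

    def may_process(self, patient_id: str, purpose: str, channel: str, on: date) -> bool:
        """True only if the most recent event for this purpose and channel, dated on or
        before `on`, is a grant. No matching event means no consent: deny by default."""
        relevant = [(e.on, i, e) for i, e in enumerate(self._events)
                    if e.patient_id == patient_id and e.purpose == purpose
                    and e.channel in (channel, "*") and e.on <= on]
        if not relevant:
            return False
        return max(relevant)[2].granted   # latest by date; later entry wins on the same day

    def history(self, patient_id: str) -> list[ConsentEvent]:
        """Per-patient audit trail: what was given, when, by whom, and what was withdrawn."""
        return sorted((e for e in self._events if e.patient_id == patient_id), key=lambda e: e.on)


def run_demo():
    led = ConsentLedger()
    # OPD intake: treatment consent only. It covers no other purpose.
    led.record(ConsentEvent("P001", "treatment", "*", True, date(2026, 1, 10), "self", "signed_form", "hi"))
    # Separate marketing consent, itemised to Instagram only, confirmed by OTP.
    led.record(ConsentEvent("P001", "marketing", "instagram", True, date(2026, 1, 10), "self", "otp", "hi"))
    # Withdrawal via the WhatsApp keyword flow, two months later.
    led.record(ConsentEvent("P001", "marketing", "instagram", False, date(2026, 3, 1), "self", "otp", "hi"))
    # Paediatric patient: grant from an ID-verified guardian.
    led.record(ConsentEvent("P002", "treatment", "*", True, date(2026, 2, 5), "guardian:A.Sharma", "guardian_id", "en"),
               is_minor=True)

    def rejected(ev, is_minor=False):
        try:
            led.record(ev, is_minor=is_minor)
            return False
        except ValueError:
            return True

    return {
        "treatment_ok": led.may_process("P001", "treatment", "opd", date(2026, 2, 1)),
        "instagram_before_withdrawal": led.may_process("P001", "marketing", "instagram", date(2026, 2, 1)),
        "instagram_after_withdrawal": led.may_process("P001", "marketing", "instagram", date(2026, 3, 15)),
        "website_never_consented": led.may_process("P001", "marketing", "website", date(2026, 2, 1)),
        "post_predates_consent": led.may_process("P001", "marketing", "instagram", date(2025, 12, 1)),
        "new_ai_tool_without_reconsent": led.may_process("P001", "ai_diagnostic", "*", date(2026, 4, 1)),
        "minor_treatment_ok": led.may_process("P002", "treatment", "*", date(2026, 2, 6)),
        "verbal_rejected": rejected(ConsentEvent("P003", "marketing", "instagram", True, date(2026, 1, 1), "self", "verbal", "en")),
        "minor_self_rejected": rejected(ConsentEvent("P002", "marketing", "instagram", True, date(2026, 2, 5), "self", "otp", "en"), is_minor=True),
        "p001_history_len": len(led.history("P001")),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two points carry over to a real system: withdrawals are stored as events rather than by deleting the grant, so the audit trail still shows that consent once existed and when it ended; and the lookup is date-aware, so auditing an existing gallery is a matter of calling `may_process` with each post's publication date.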
Frequently asked questions
Does verbal consent at the reception desk count under DPDPA?
No. Section 6 requires consent to be free, specific, informed, unconditional, unambiguous and demonstrable. A verbal nod cannot be produced as evidence to the Data Protection Board. You need a written, timestamped, channel-specific consent log — digital signature, OTP confirmation, or signed form.
Can we keep using patient before/after photos already on our Instagram?
Only if you can produce a specific consent for Instagram use, dated before the post. Legacy treatment-consent forms that said 'photos may be used for educational purposes' will not survive DPDPA scrutiny for marketing reuse. Audit your existing gallery and re-consent or take down.
We treat children for orthodontics and paediatric dentistry. What changes?
Section 9 mandates verifiable parental consent — you must verify the consenting adult is actually the parent or legal guardian, typically via government ID. Behavioural tracking, retargeting ads and profiling of under-18 patients are prohibited. Your Meta Pixel and Google Ads tags must exclude paediatric landing pages.
Are diagnostic labs and TPAs our problem under DPDPA?
Yes. They are Data Processors and you are the Data Fiduciary. You are accountable for their breaches. Every lab tie-up, TPA panel agreement and cloud EMR contract needs DPDPA clauses — purpose limitation, security obligations, breach notification within defined hours, audit rights and deletion on termination.
What is the realistic penalty exposure for a 50-bed hospital?
Section 33 caps penalties at Rs 250 crore for security failures and Rs 200 crore for children's data breaches and consent failures. A single ransomware incident on the HIS with no breach notification can comfortably trigger Rs 50-100 crore for a mid-sized hospital.
How long do we have to comply once enforcement begins?
DPDPA enforcement is live in 2026. There is no industry-specific grace period for healthcare. Start with a data inventory (every form, every system, every WhatsApp group), redesign consent at intake, lock down photo workflows, and renegotiate processor contracts — in that order.
Get a Hospitals, Clinics & Healthcare-specific compliance audit
Free 48-hour DPDPAReady audit — we map your exact workflow against every applicable Section and ship the consent forms, retention schedules, and breach playbooks you need.
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.